
S600-E V200R013C00 Configuration Guide - User Access and Authentication

This document describes the configurations of User Access and Authentication Configuration, including AAA, NAC, and Policy Association.
RADIUS AAA

Overview of RADIUS

AAA can be implemented using multiple protocols. RADIUS is the one most frequently used in practice.

RADIUS is a protocol that uses the client/server model in distributed mode and protects a network from unauthorized access. It is often used on networks that require high security and control remote user access. It defines the UDP-based RADIUS packet format and transmission mechanism, and specifies UDP ports 1812 and 1813 as the default authentication and accounting ports respectively.

At the very beginning, RADIUS was an AAA protocol used only for dial-up users. As user access modes diversified (for example, Ethernet access), RADIUS was extended to these access modes as well. RADIUS provides the access service through authentication and authorization, and records the network resource usage of users through accounting.

RADIUS has the following characteristics:

  • Client/Server model

  • Secure message exchange mechanism

  • Fine scalability

Client/Server Model
  • RADIUS client

    RADIUS clients run on the NAS to transmit user information to a specified RADIUS server and process requests (for example, permit or reject user access requests) based on the responses from the server. RADIUS clients can be located at any node on a network.

    As a RADIUS client, a device supports:

    • standard RADIUS protocol and its extensions, including RFC 2865 and RFC 2866

    • Huawei extended RADIUS attributes

    • RADIUS server status detection

    • retransmission of Accounting-Request(Stop) packets in the local buffer

    • active/standby and load balancing functions between RADIUS servers

  • RADIUS server

    RADIUS servers typically run on central computers and workstations to maintain user authentication and network service access information. The servers receive connection requests from users, authenticate the users, and send all required information (such as permitting or rejecting authentication requests) to the clients. A RADIUS server generally needs to maintain three databases, as shown in Figure 1-6.

    Figure 1-6  Databases maintained by a RADIUS server

    • Users: This database stores user information such as user names, passwords, protocols, and IP addresses.
    • Clients: This database stores RADIUS client information, such as the shared keys and IP addresses.
    • Dictionary: This database stores the attributes in the RADIUS protocol and their value descriptions.
Secure Message Exchange Mechanism

Authentication messages between a RADIUS server and RADIUS clients are exchanged using a shared key. The shared key is a character string that is transmitted in out-of-band mode, is known to both clients and the server, and does not need to be transmitted independently on the network.

A RADIUS packet has a 16-octet Authenticator field that carries the signature data for the whole packet. The signature is calculated with the MD5 algorithm over the packet and the shared key. The receiver of a RADIUS packet must verify the signature and discard the packet if the signature is incorrect.

This mechanism improves security of message exchange between RADIUS clients and the RADIUS server. In addition, user passwords contained in RADIUS packets are encrypted using shared keys before the packets are transmitted to prevent the user passwords from being stolen during transmission on an insecure network.

Fine Scalability

A RADIUS packet consists of a packet header and a certain number of attributes. The protocol implementation remains unchanged even if new attributes are added to a RADIUS packet.

RADIUS Packets

RADIUS Packet Format

RADIUS is based on the UDP protocol. Figure 1-7 shows the RADIUS packet format.

Figure 1-7  RADIUS packet format

Each RADIUS packet contains the following information:
  • Code: The Code field is one octet and identifies the type of a RADIUS packet. The value of the Code field varies depending on the RADIUS packet type. For example, the value 1 indicates an Access-Request packet and the value 2 indicates an Access-Accept packet.
  • Identifier: The Identifier field is one octet and helps the RADIUS server match requests and responses and detect duplicate requests retransmitted within a certain period. After a client sends a request packet, the server sends a reply packet with the same Identifier value as the request packet.
  • Length: The Length field is two octets and specifies the length of a RADIUS packet. Octets outside the range of the Length field must be treated as padding and ignored on reception. If a packet is shorter than the Length field, it must be silently discarded.
  • Authenticator: The Authenticator field is 16 octets. This value is used to authenticate the reply from the RADIUS server and is used in the password hiding algorithm.
  • Attribute: This field is variable in length. RADIUS attributes carry the specific authentication, authorization, and accounting information and configuration details for the request and reply packets. The Attribute field may contain multiple attributes, each of which consists of Type, Length, and Value. For details, see RADIUS Attributes.

    • Type: The Type field is one octet and indicates the RADIUS attribute ID. The value ranges from 1 to 255.
    • Length: The Length field is one octet and indicates the length of the RADIUS attribute (including the Type, Length, and Value fields). The Length is measured in octets.
    • Value: The maximum length of the Value field is 253 bytes. The Value field contains information specific to the RADIUS attribute. The format and length of the Value field are determined by the Type and Length fields.
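The following is an added example (not code from the Huawei guide): a parser for the packet layout just described (Code, Identifier, Length, Authenticator, then Type/Length/Value attributes), applying the Length rules above, plus the check a RADIUS client performs on a reply, which recomputes the MD5-based Response Authenticator with the shared key. The shared key, Request Authenticator and attribute values are constructed sample data.

```python
import hashlib
import hmac
import struct

HEADER_LEN = 20          # Code(1) + Identifier(1) + Length(2) + Authenticator(16)
CODES = {1: "Access-Request", 2: "Access-Accept", 3: "Access-Reject",
         4: "Accounting-Request", 5: "Accounting-Response", 11: "Access-Challenge"}

# Constructed sample values for the demonstration (not real credentials).
SECRET = b"constructed-shared-key"
REQUEST_AUTH = bytes(range(16))   # a real client uses a random Request Authenticator


def parse_packet(data: bytes) -> dict:
    """Split a datagram into header fields and a list of (Type, Value) attributes.
    Applies the Length rules from the text: octets beyond Length are padding and
    are ignored; a datagram shorter than Length is discarded (ValueError)."""
    if len(data) < HEADER_LEN:
        raise ValueError("datagram shorter than the 20-octet header")
    code, ident, length = struct.unpack("!BBH", data[:4])
    if length < HEADER_LEN or length > 4096:
        raise ValueError("Length field %d out of range" % length)
    if len(data) < length:
        raise ValueError("datagram shorter than Length field: silently discard")
    attrs, pos = [], HEADER_LEN
    while pos < length:                       # anything at or past `length` is padding
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > length:   # attribute Length covers Type+Length+Value
            raise ValueError("attribute Length %d invalid" % alen)
        attrs.append((atype, data[pos + 2:pos + alen]))
        pos += alen
    return {"code": code, "name": CODES.get(code, "Unknown"), "identifier": ident,
            "length": length, "authenticator": data[4:20], "attributes": attrs}


def encode_attributes(attrs) -> bytes:
    """Type(1) + Length(1) + Value; Value is at most 253 octets."""
    out = b""
    for atype, value in attrs:
        if len(value) > 253:
            raise ValueError("attribute value too long")
        out += bytes([atype, len(value) + 2]) + value
    return out


def build_request(code, ident, request_auth, attrs) -> bytes:
    body = encode_attributes(attrs)
    return struct.pack("!BBH", code, ident, HEADER_LEN + len(body)) + request_auth + body


def build_reply(code, ident, request_auth, attrs, secret) -> bytes:
    """Server side: Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attributes+Secret),
    as defined in RFC 2865 section 3 (MD5 is mandated by the protocol itself)."""
    body = encode_attributes(attrs)
    header = struct.pack("!BBH", code, ident, HEADER_LEN + len(body))
    resp_auth = hashlib.md5(header + request_auth + body + secret).digest()
    return header + resp_auth + body


def verify_reply(reply: bytes, request_auth: bytes, secret: bytes) -> bool:
    """Client (NAS) side: recompute the authenticator with the Request Authenticator
    it sent and the shared key, and compare in constant time."""
    p = parse_packet(reply)
    length = p["length"]
    expected = hashlib.md5(reply[:4] + request_auth + reply[20:length] + secret).digest()
    return hmac.compare_digest(expected, p["authenticator"])


# Constructed Access-Request carrying User-Name (1) and NAS-IP-Address (4).
SAMPLE_REQUEST = build_request(1, 7, REQUEST_AUTH,
                               [(1, b"alice"), (4, bytes([10, 0, 0, 1]))])
# Constructed Access-Accept for it: Reply-Message (18) and Service-Type (6) = Framed (2).
SAMPLE_ACCEPT = build_reply(2, 7, REQUEST_AUTH,
                            [(18, b"Welcome"), (6, struct.pack("!I", 2))], SECRET)

if __name__ == "__main__":
    req = parse_packet(SAMPLE_REQUEST)
    print(req["name"], req["identifier"], req["attributes"])
    print("reply authentic:", verify_reply(SAMPLE_ACCEPT, REQUEST_AUTH, SECRET))
    tampered = SAMPLE_ACCEPT[:-1] + bytes([SAMPLE_ACCEPT[-1] ^ 1])
    print("tampered reply authentic:", verify_reply(tampered, REQUEST_AUTH, SECRET))
```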
RADIUS Packet Type

RADIUS defines 16 types of packets. Table 1-5 describes the authentication packet types, and Table 1-6 describes the accounting packet types. For RADIUS CoA/DM packets, see RADIUS CoA/DM.

Table 1-5  RADIUS authentication packet

Packet Name

Description

Access-Request

Access-Request packets are sent from a client to a RADIUS server and are the first packets transmitted in a RADIUS packet exchange process. This packet conveys information (such as the user name and password) used to determine whether a user is allowed access to a specific NAS and any special services requested for that user.

Access-Accept

After a RADIUS server receives an Access-Request packet, it must send an Access-Accept packet if all attribute values in the Access-Request packet are acceptable (authentication success). The user is allowed access to requested services only after the RADIUS client receives this packet.

Access-Reject

After a RADIUS server receives an Access-Request packet, it must send an Access-Reject packet if any of the attribute values are not acceptable (authentication failure).

Access-Challenge

During an EAP relay authentication, when a RADIUS server receives an Access-Request packet carrying the user name from a client, it generates a random MD5 challenge and sends the MD5 challenge to the client through an Access-Challenge packet. The client encrypts the user password using the MD5 challenge, and then sends the encrypted password in an Access-Request packet to the RADIUS server. The RADIUS server compares the encrypted password received from the client with the locally encrypted password. If they are the same, the server determines the user is valid.

Table 1-6  RADIUS accounting packet

Packet Name

Description

Accounting-Request(Start)

If a RADIUS client uses RADIUS accounting, the client sends this packet to a RADIUS server before accessing network resources.

Accounting-Response(Start)

The RADIUS server must send an Accounting-Response(Start) packet after the server successfully receives and records an Accounting-Request(Start) packet.

Accounting-Request(Interim-update)

You can configure the real-time accounting function on a RADIUS client to prevent the RADIUS server from continuing user accounting if it fails to receive the Accounting-Request(Stop) packet. The client then periodically sends Accounting-Request(Interim-update) packets to the server, reducing accounting deviation.

Accounting-Response(Interim-update)

The RADIUS server must send an Accounting-Response(Interim-update) packet after the server successfully receives and records an Accounting-Request(Interim-update) packet.

Accounting-Request(Stop)

When a user goes offline proactively or is forcibly disconnected by the NAS, the RADIUS client sends this packet carrying the network resource usage information (including the online duration and number of incoming/outgoing bytes) to the RADIUS server, requesting the server to stop accounting.

Accounting-Response(Stop)

The RADIUS server must send an Accounting-Response(Stop) packet after receiving an Accounting-Request(Stop) packet.

RADIUS Authentication, Authorization, and Accounting Process

A device that functions as a RADIUS client collects user information, including the user name and password, and sends the information to the RADIUS server. The RADIUS server then authenticates users according to the information, after which it performs authorization and accounting for the users. Figure 1-8 shows the information exchange process between a user, a RADIUS client, and a RADIUS server.

Figure 1-8  RADIUS authentication, authorization, and accounting process

  1. A user needs to access a network and sends a connection request containing the user name and password to the RADIUS client (device).
  2. The RADIUS client sends a RADIUS Access-Request packet containing the user name and password to the RADIUS server.
  3. The RADIUS server verifies the user identity:

    • If the user identity is valid, the RADIUS server returns an Access-Accept packet to the RADIUS client to permit further operations of the user. The Access-Accept packet contains authorization information because RADIUS provides both authentication and authorization functions.
    • If the user identity is invalid, the RADIUS server returns an Access-Reject packet to the RADIUS client to reject access from the user.
  4. The RADIUS client notifies the user of whether authentication is successful.
  5. The RADIUS client permits or rejects the user access request according to the authentication result. If the access request is permitted, the RADIUS client sends an Accounting-Request (Start) packet to the RADIUS server.
  6. The RADIUS server sends an Accounting-Response (Start) packet to the RADIUS client and starts accounting.
  7. The user starts to access network resources.
  8. (Optional) If interim accounting is enabled, the RADIUS client periodically sends an Accounting-Request (Interim-update) packet to the RADIUS server, preventing incorrect accounting result caused by unexpected user disconnection.
  9. (Optional) The RADIUS server returns an Accounting-Response (Interim-update) packet and performs interim accounting.
  10. The user sends a logout request.
  11. The RADIUS client sends an Accounting-Request (Stop) packet to the RADIUS server.
  12. The RADIUS server sends an Accounting-Response (Stop) packet to the RADIUS client and stops accounting.
  13. The RADIUS client notifies the user of the processing result, and the user stops accessing network resources.

RADIUS Packet Retransmission Mechanism

When a user is authenticated, a device sends an Access-Request packet to the RADIUS server. To ensure that the device can receive a response packet from the server even if a network fault or delay occurs, a retransmission upon timeout mechanism is used. The retransmission times and retransmission interval are controlled using timers.

As shown in Figure 1-9, 802.1X authentication and client-initiated authentication are used as an example. After receiving an EAP packet (EAP-Response/Identity) containing the user name of the client, the device encapsulates the packet into a RADIUS Access-Request packet and sends the packet to the RADIUS server. The retransmission timer is enabled at the same time. The retransmission timer is composed of the retransmission interval and retransmission times. If the device does not receive any response packet from the RADIUS server when the retransmission interval expires, it sends a RADIUS Access-Request packet again.

Figure 1-9  RADIUS authentication packet retransmission flowchart
The device stops packet retransmission if any of the following conditions is met:
  • The device receives a response packet from the RADIUS server. It then stops packet retransmission and marks the RADIUS server status as Up.
  • The device detects that the RADIUS server status is Down. After the device marks the RADIUS server status as Down:
    • If the number of retransmitted packets has reached the upper limit, the device stops packet retransmission and keeps the RADIUS server status as Down.
    • If the number of retransmitted packets has not reached the upper limit, the device retransmits an Access-Request packet once more to the RADIUS server. If the device receives a response packet from the server, it stops packet retransmission and restores the RADIUS server status to Up. Otherwise, it still stops packet retransmission and keeps the RADIUS server status as Down.
  • The number of retransmitted packets has reached the upper limit. The device then stops packet retransmission and performs the following:
    • If the device receives a response packet from the RADIUS server, it marks the RADIUS server status as Up.
    • If the device has detected that the RADIUS server status is Down, it marks the server status as Down.
    • If the device receives no response packet from the RADIUS server and does not detect that the server status is Down, the device does not change the server status; the server has simply not responded.
      NOTE:

      The device does not definitely mark the status of the server that does not respond as Down. The device marks the server status as Down only if the corresponding conditions are met.

For the RADIUS server status introduction and conditions for a device to mark the server status as Down, see RADIUS Server Status Detection.

RADIUS packet retransmission discussed here applies only to a single server. If multiple servers are configured in a RADIUS server template, the overall retransmission period depends on the retransmission interval, retransmission times, RADIUS server status, number of servers, and algorithm for selecting the servers.

You can set the timer using the following commands:

Command

Description

radius-server retransmit retry-times

Specifies the retransmission times. The default value is 3.

radius-server timeout time-value

Specifies the retransmission interval. The default value is 5 seconds.

RADIUS Server Selection Mechanism

Typically, multiple RADIUS servers are deployed on a large-scale enterprise network so that user access is not disrupted if one server is faulty. In addition, load balancing is performed between these servers, preventing the resources of a single server from being exhausted when a large number of users access the network. If multiple servers are configured in a RADIUS server template and a device needs to send a packet to a server, the device selects the RADIUS server using one of the following algorithms, according to the command configuration.
  • RADIUS server primary/secondary algorithm (default)
  • RADIUS server load balancing algorithm

In addition, the algorithm for selecting a RADIUS server can be set to the single user-based or packet-based algorithm. With the single user-based algorithm, authentication server information is saved in the authentication phase, and in the accounting phase the device preferentially sends the accounting request to the same server when the authentication server is also an accounting server. With the packet-based algorithm, authentication server information is not saved in the authentication phase, and the accounting server is reselected in the accounting phase, so authentication and accounting for a user may be performed on different servers.

RADIUS Server Primary/Secondary Algorithm

The primary and secondary roles are determined by the weights configured for the RADIUS authentication servers or RADIUS accounting servers. The server with the largest weight is the primary server. If the weight values are the same, the earliest configured server is the primary server. As shown in Figure 1-10, the device preferentially sends an authentication or accounting packet to the primary server among all servers in Up status. If the primary server does not respond, the device then sends the packet to the secondary server.

Figure 1-10  Diagram for the RADIUS server primary/secondary algorithm
RADIUS Server Load Balancing Algorithm

If this algorithm is used and a device sends an authentication or accounting packet to a server, the device selects a server based on the weights configured for the RADIUS authentication servers or RADIUS accounting servers. As shown in Figure 1-11, RADIUS server1 is in Up status with a weight of 80, and RADIUS server2 is also in Up status with a weight of 20. The probability that the device sends the packet to RADIUS server1 is 80% [80/(80 + 20)], and that for RADIUS server2 is 20% [20/(80 + 20)].

Figure 1-11  Diagram for the RADIUS server load balancing algorithm

Regardless of which algorithm is used, if all the servers in Up status do not respond to a packet sent by a device, the device retransmits the packet to a server among the servers whose status is originally marked as Down (to which the device has not sent any authentication or accounting packets) based on the server weight. If the device does not receive any response in the current authentication mode, the backup authentication mode is used, for example, local authentication mode. The backup authentication mode needs to be already configured in the authentication scheme. Otherwise, the authentication process ends.

RADIUS Server Status Detection

Availability and maintainability of a RADIUS server are the prerequisites of user access authentication. If a device cannot communicate with the RADIUS server, the server cannot perform authentication or authorization for users. To resolve this issue, the device supports the user escape function upon transition of the RADIUS server status to Down. To be specific, if the RADIUS server goes Down, users cannot be authorized by the server but still have certain network access rights.

The user escape function upon transition of the RADIUS server status to Down can be enabled only after the device marks the RADIUS server status as Down. If the RADIUS server status is not marked as Down and the device cannot communicate with the RADIUS server, users cannot be authorized by the server and the escape function is also unavailable. As a result, users have no network access rights. Therefore, the device must be capable of detecting the RADIUS server status in a timely manner. If the device detects that the RADIUS server status transitions to Down, users can obtain escape rights; if the device detects that the RADIUS server status reverts to Up, escape rights are removed from the users and the users are reauthenticated.

RADIUS Server Status

A device can mark the RADIUS server status as Up, Down, or Force-up. The following table describes the three RADIUS server statuses and their corresponding scenarios.

Status

Whether the RADIUS Server Is Available

Condition for Switching the Server Status

Up

The RADIUS server is available.

  • The device initially marks the RADIUS server status as Up.
  • The device marks the RADIUS server status as Up if it receives packets from the server.

Down

The RADIUS server is unavailable.

The conditions for marking the RADIUS server status as Down are met.

Force-up

When no RADIUS server is available, the device selects a RADIUS server in Force-up status.

The device marks the RADIUS server status as Force-up when the timer specified by dead-time expires.

The RADIUS server status is initially marked as Up. After a RADIUS Access-Request packet is received and the conditions for marking the RADIUS server status as Down are met, the RADIUS server status transitions to Down. The RADIUS Access-Request packet that triggers the server status transition can be sent during user authentication or constructed by the administrator. For example, the RADIUS Access-Request packet can be a test packet sent when the test-aaa command is run or detection packet sent during automatic detection.

The device changes the RADIUS server status from Down to Up or to Force-up in the following scenarios:
  • Down to Force-up: The timer specified by dead-time starts after the device marks the RADIUS server status as Down. The timer indicates the duration for which the server status remains Down. After the timer expires, the device marks the RADIUS server status as Force-up. If a new user needs to be authenticated in RADIUS mode and no RADIUS server is available, the device attempts to re-establish a connection with a RADIUS server in Force-up status.
  • Down to Up: After receiving packets from the RADIUS server, the device changes the RADIUS server status from Down to Up. For example, after automatic detection is configured, the device receives response packets from the RADIUS server.
Conditions for Marking the RADIUS Server Status as Down

Whether the status of a RADIUS server can be marked as Down depends on the following factors:

  • Longest unresponsive interval of the RADIUS server (value of max-unresponsive-interval)
  • Number of times the RADIUS Access-Request packet is sent
  • Interval of sending the RADIUS Access-Request packet
  • Interval of detecting the RADIUS server status
  • Number of RADIUS server detection interval cycles
  • Maximum number of consecutive unacknowledged packets in each detection interval
The device marks the RADIUS server status as Down as long as either of the following conditions is met. Figure 1-12 shows the logic flowchart for marking the RADIUS server status as Down. In this example, the detection interval cycles two times:
  • The device marks the RADIUS server status as Down during the RADIUS server status detection.

    After the system starts, the RADIUS server status detection timer runs. If, within a detection interval, the device sends a RADIUS Access-Request packet to the server and receives no packet back, and the number of consecutive unacknowledged packets (n) reaches the maximum number of consecutive unacknowledged packets (dead-count), a communication interruption is recorded for that interval. If the device still receives no packet from the RADIUS server, it marks the RADIUS server status as Down once interruptions have been recorded in as many consecutive detection intervals as the configured number of detection interval cycles.

    NOTE:
    If the device does not record any communication interruption in a detection interval, all the previous communication interruption records are cleared.
  • The device marks the status of a RADIUS server as Down if no response is received from the server for a long period of time.

    If the user access frequency is low, the device receives only a few RADIUS Access-Request packets from users, and conditions for marking the RADIUS server status as Down during the RADIUS server status detection cannot be met, the device marks the status of the RADIUS server from which no response is received for a long period of time as Down to ensure that users can obtain escape authorization.

If multiple servers are configured in the RADIUS server template, the overall status detection time depends on the number of servers and the server selection algorithm. If a user terminal uses client software for authentication and the timeout period of the client software is shorter than the sum of all the status detection times, the client software may dial up repeatedly and fail to access the network. If the user escape function is configured, the sum of all the status detection times must be shorter than the timeout period of the client software to ensure that escape rights can be granted to the users.

Figure 1-12  Logic flowchart for marking the RADIUS server status as Down

The following table lists the related commands.

Command

Description

radius-server { dead-interval dead-interval | dead-count dead-count | detect-cycle detect-cycle }

Configures conditions for marking the RADIUS server status as Down during the RADIUS server status detection.

  • dead-interval dead-interval: Specifies the detection interval. The default value is 5 seconds.
  • dead-count dead-count: Specifies the maximum number of consecutive unacknowledged packets. The default value is 2.
  • detect-cycle detect-cycle: Specifies the number of detection interval cycles. The default value is 2.
radius-server max-unresponsive-interval interval

Configures the longest unresponsive interval of the RADIUS server. The default value is 300 seconds.

If the device receives no RADIUS packet within the configured longest unresponsive interval after sending a RADIUS Access-Request packet to the RADIUS server, the device marks the RADIUS server status as Down.

radius-server dead-time dead-time

Configures the duration for which the RADIUS server status remains Down.

dead-time: Specifies the duration for which the RADIUS server status remains Down after the server status is marked as Down. After the duration expires, the device marks the server status as Force-up. The default value is 5 minutes.
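The following added example (not Huawei code) models the Down-marking logic of Figure 1-12 and the commands in the table above, with their documented defaults (dead-interval 5 s, dead-count 2, detect-cycle 2, max-unresponsive-interval 300 s, dead-time 5 min), including the clearing of interruption records described in the NOTE and the Down-to-Force-up transition. Event times are constructed; evaluating each detection interval at its boundary is an assumption about the device's exact timing.

```python
class RadiusServerMonitor:
    """Tracks one RADIUS server's status (Up / Down / Force-up) as seen by the NAS."""

    def __init__(self, dead_interval=5, dead_count=2, detect_cycle=2,
                 max_unresponsive_interval=300, dead_time=300):
        self.dead_interval = dead_interval          # detection interval (s)
        self.dead_count = dead_count                # max consecutive unacknowledged packets
        self.detect_cycle = detect_cycle            # number of detection interval cycles
        self.max_unresponsive = max_unresponsive_interval
        self.dead_time = dead_time                  # how long the status stays Down (s)
        self.status = "Up"                          # a server is initially marked Up
        self.interval_start = 0                     # start of the current detection interval
        self.unanswered = 0                         # n: unacknowledged packets in this interval
        self.interruptions = 0                      # consecutive intervals with an interruption
        self.first_unanswered_at = None             # for max-unresponsive-interval
        self.down_since = None
        self.log = []                               # (time, new status) transitions

    def _mark_down(self, when):
        self.status, self.down_since = "Down", when
        self.unanswered = self.interruptions = 0
        self.first_unanswered_at = None
        self.log.append((when, "Down"))

    def _close_intervals(self, now):
        """Evaluate every detection interval that has fully elapsed before `now`."""
        while now - self.interval_start >= self.dead_interval:
            boundary = self.interval_start + self.dead_interval
            if self.unanswered >= self.dead_count:
                self.interruptions += 1             # communication interruption recorded
            else:
                self.interruptions = 0              # NOTE: an interval without one clears records
            self.unanswered = 0
            self.interval_start = boundary
            if self.status == "Up" and self.interruptions >= self.detect_cycle:
                self._mark_down(boundary)

    def no_reply(self, sent_at):
        """An Access-Request sent at `sent_at` (from a user, test-aaa or automatic
        detection) received no response from the server."""
        self._close_intervals(sent_at)
        self.unanswered += 1
        if self.first_unanswered_at is None:
            self.first_unanswered_at = sent_at

    def reply(self, now):
        """Any packet from the server marks it Up and clears all records."""
        self._close_intervals(now)
        self.status = "Up"
        self.unanswered = self.interruptions = 0
        self.first_unanswered_at = self.down_since = None
        self.log.append((now, "Up"))

    def tick(self, now):
        """Advance the clock to `now`, apply timer-based transitions, return the status."""
        self._close_intervals(now)
        if (self.status == "Up" and self.first_unanswered_at is not None
                and now - self.first_unanswered_at >= self.max_unresponsive):
            self._mark_down(now)                    # max-unresponsive-interval exceeded
        if self.status == "Down" and now - self.down_since >= self.dead_time:
            self.status = "Force-up"                # dead-time expired
            self.log.append((now, "Force-up"))
        return self.status


if __name__ == "__main__":
    # Constructed timeline: two unanswered requests in each of two consecutive intervals.
    m = RadiusServerMonitor()
    for t in (1, 2, 6, 7):
        m.no_reply(t)
    print(m.tick(10), m.tick(309), m.tick(310))     # Down Down Force-up
    m.reply(311)
    print(m.log)
```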

Automatic Detection

After the RADIUS server status is marked as Down, you can configure the automatic detection function to test the RADIUS server reachability.

The automatic detection function needs to be manually enabled. The automatic server status detection function can be enabled only if the user name and password for automatic detection are configured in the RADIUS server template view on the device rather than on the RADIUS server. Authentication success is not mandatory. If the device can receive the authentication failure response packet, the RADIUS server is properly working and the device marks the RADIUS server status as Up. If the device cannot receive the response packet, the RADIUS server is unavailable and the device marks the RADIUS server status as Down.

After the automatic detection function is enabled, automatic detection behaves as follows depending on the RADIUS server status.

Server Status

Whether Automatic Detection Is Supported

Time When an Automatic Detection Packet Is Sent

Condition for Switching the Server Status

Down

Automatic detection is supported by default.

An automatic detection packet is sent after the automatic detection period expires.

If the device receives a response packet from the RADIUS server within the timeout period for detection packets, the device marks the RADIUS server status as Up; otherwise, the RADIUS server status remains Down.

Up

Automatic detection can be enabled using the radius-server detect-server up-server interval command.

An automatic detection packet is sent after the automatic detection period expires.

If the conditions for marking the RADIUS server status as Down are met, the device marks the RADIUS server status as Down; otherwise, the RADIUS server status remains Up.

Force-up

Automatic detection is supported by default.

An automatic detection packet is sent immediately.

If the device receives a packet from the RADIUS server within the timeout period, the device marks the RADIUS server status as Up; otherwise, the device marks the RADIUS server status as Down.

NOTE:

On a large-scale network, you are advised not to enable automatic detection for RADIUS servers in Up status. If automatic detection is enabled on multiple NAS devices, the RADIUS server periodically receives a large number of detection packets while processing RADIUS Access-Request packets originating from users, which may degrade the processing performance of the RADIUS server.

The following table lists commands related to automatic detection.

Command

Description

radius-server testuser username user-name password cipher password

Enables the automatic detection function.

  • user-name: Specifies the user name for automatic detection.
  • password: Specifies the password for automatic detection.
radius-server detect-server interval interval

Specifies the automatic detection interval for RADIUS servers in Down status. The default value is 60 seconds.

radius-server detect-server up-server interval interval

Enables the automatic detection function for the RADIUS server in Up status and configures the automatic detection interval. The default value is 0 seconds; that is, the device does not automatically detect RADIUS servers in Up status.

radius-server detect-server timeout time-value

Specifies the timeout period for automatic detection packets. The default value is 3 seconds.

Consecutive Processing After the RADIUS Server Status Is Marked as Down

After the device marks the RADIUS server status as Down, you can configure the escape function to make users obtain escape authorization. After the device detects that the RADIUS server status reverts to Up, you can configure the reauthentication function to make users obtain authorization from the server through reauthentication, as shown in Figure 1-13.

NOTE:

For 802.1X authenticated users and MAC address authenticated users, after the RADIUS server status reverts to Up, users exit escape authorization and are reauthenticated. For Portal authenticated users, after the RADIUS server status reverts to Up, users obtain pre-connection authorization and are redirected to the Portal server for authentication only when they attempt to access network resources.

Figure 1-13  Consecutive processing after the RADIUS server status is marked as Down

The following table lists the commands for configuring the escape rights upon transition of the RADIUS server status to Down and configuring the reauthentication function, respectively.

Command

Description

authentication event authen-server-down action authorize { vlan vlan-id | service-scheme service-scheme-name | ucl-group ucl-group-name } [ response-fail ]

Configures the escape function upon transition of the RADIUS server status to Down.

authentication event authen-server-up action re-authen

Configures the reauthentication function for users in escape status when the RADIUS server status reverts to Up.

RADIUS CoA/DM

The device supports the RADIUS Change of Authorization (CoA) and Disconnect Message (DM) functions. CoA provides a mechanism to change the rights of online users, and DM provides a mechanism to forcibly disconnect users. This section contains the following contents:

RADIUS CoA/DM packet

Table 1-7 describes the types of CoA/DM packets.

Table 1-7  RADIUS CoA/DM packets

  • CoA-Request: When an administrator needs to modify the rights of an online user (for example, to prohibit the user from accessing a website), the RADIUS server sends this packet to the RADIUS client, requesting the client to modify the user rights.
  • CoA-ACK: If the RADIUS client successfully modifies the user rights, it returns this packet to the RADIUS server.
  • CoA-NAK: If the RADIUS client fails to modify the user rights, it returns this packet to the RADIUS server.
  • DM-Request: When an administrator needs to disconnect a user, the RADIUS server sends this packet to the RADIUS client, requesting the client to disconnect the user.
  • DM-ACK: If the RADIUS client has disconnected the user, it returns this packet to the RADIUS server.
  • DM-NAK: If the RADIUS client fails to disconnect the user, it returns this packet to the RADIUS server.

Exchange Procedure

CoA allows the administrator to change the rights of an online user or perform reauthentication for the user through RADIUS after the user passes authentication. Figure 1-14 shows the CoA interaction process.

Figure 1-14  CoA interaction process

  1. The RADIUS server sends a CoA-Request packet to the device according to service information, requesting the device to modify user authorization information. This packet can contain authorization information including the ACL.
  2. Upon receiving the CoA-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the device modifies authorization information of the user. Otherwise, the device retains the original authorization information of the user.
  3. The device returns a CoA-ACK or CoA-NAK packet as follows:
    • If authorization information is successfully modified, the device sends a CoA-ACK packet to the RADIUS server.
    • If authorization information fails to be modified, the device sends a CoA-NAK packet to the RADIUS server.

When a user needs to be disconnected forcibly, the RADIUS server sends a DM packet to the device. Figure 1-15 shows the DM interaction process.

Figure 1-15  DM interaction process

  1. The administrator forcibly disconnects a user on the RADIUS server. The RADIUS server sends a DM-Request packet to the device, requesting the device to disconnect the user.
  2. Upon receiving the DM-Request packet, the device performs a match check between the packet and user information on the device to identify the user. If the match succeeds, the user is notified to go offline. Otherwise, the user remains online.
  3. The device returns a DM-ACK or DM-NAK packet as follows:
    • If the user successfully goes offline, the device sends a DM-ACK packet to the RADIUS server.
    • Otherwise, the device sends a DM-NAK packet to the RADIUS server.

Unlike the authorization of an online user or a user proactively going offline, in the CoA/DM process the server sends the request packet and the device sends the response packet. If CoA/DM succeeds, the device returns an ACK packet; otherwise, the device returns a NAK packet.

Session Identification

Each service provided by the NAS to a user constitutes a session, with the beginning of the session defined as the point where service is first provided and the end of the session defined as the point where service is ended.

After the device receives a CoA-Request or DM-Request packet from the RADIUS server, it identifies the user by the RADIUS attributes carried in the packet. The following RADIUS attributes can be used to identify users:
  • User-Name (IETF attribute #1)
  • Acct-Session-ID (IETF attribute #4)
  • Framed-IP-Address (IETF attribute #8)
  • Calling-Station-Id (IETF attribute #31)

The match methods are as follows:

  • any method

    The device performs a match check between a single attribute and user information on the device. The identification attributes are considered in the following priority order: Acct-Session-ID (4) > Calling-Station-Id (31) > Framed-IP-Address (8). The device searches the request packet for these attributes in priority order and performs a match check between the first attribute found and user information on the device. If that attribute matches, the device responds with an ACK packet; otherwise, the device responds with a NAK packet.

  • all method

    The device performs a match check between all identification attributes and user information on the device. The identification attributes are Acct-Session-ID (4), Calling-Station-Id (31), Framed-IP-Address (8), and User-Name (1). The device performs a match check between all of these attributes carried in the request packet and user information on the device. If all of them match, the device responds with an ACK packet; otherwise, the device responds with a NAK packet.

Error Code Description

When the CoA-Request or DM-Request packet from the RADIUS server fails to match user information on the device, the device reports the failure cause using the error code in the CoA-NAK or DM-NAK packet. For the error code description, see Table 1-8 and Table 1-9.

Table 1-8  Error codes in a CoA-NAK packet (name, value, description)

  • RD_DM_ERRCODE_MISSING_ATTRIBUTE (402): The request packet lacks key attributes, so the integrity check of the RADIUS attributes fails.
  • RD_DM_ERRCODE_INVALID_REQUEST (404): Parsing the attributes in the request packet fails.
  • RD_DM_ERRCODE_INVALID_ATTRIBUTE_VALUE (407): The request packet contains attributes that are not supported by the device or do not exist, so the attribute check fails.

    The authorization check covers the VLAN, ACL, CAR, number of the ACL used for redirection, and whether the Huawei RADIUS extended attributes RD_hw_URL_Flag and RD_hw_Portal_URL can be authorized to the interface-based authenticated user.

    Errors that may occur are as follows:
    • The authorized service scheme does not exist.
    • The authorized values of upstream and downstream priorities exceed the maximum values.
    • The ISP VLAN and outbound interface information are incorrectly parsed.
    • Reauthentication attributes and other attributes are authorized simultaneously.
  • RD_DM_ERRCODE_SESSION_CONTEXT_NOT_FOUND (503): The session request fails. Possible causes:
    • Authorization for the current request user is being processed.
    • The temporary RADIUS table fails to be requested.
    • User information does not match or no user is found.
    • The user is a non-RADIUS authentication user.
  • RD_DM_ERRCODE_RESOURCES_UNAVAILABLE (506): This error code is used for other authorization failures.

Table 1-9  Error codes in a DM-NAK packet (name, value, description)

  • RD_DM_ERRCODE_INVALID_REQUEST (404): Parsing the attributes in the request packet fails.
  • RD_DM_ERRCODE_SESSION_CONTEXT_NOT_REMOVABLE (504): The user fails to be deleted or the user does not exist.
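The session identification and error reporting described above, as an added Python model (not Huawei code): a NAS-side handler that locates the session by the "any" or "all" method, applies or rejects the CoA/DM request, and reports a failure as an Error-Cause value (RADIUS attribute 101) taken from Table 1-8 or Table 1-9. The session table, the request attributes and the Filter-Id range check are constructed for the demonstration; attributes are keyed by name rather than number, and the packet codes follow RFC 5176.

```python
"""NAS-side model of CoA-Request / Disconnect-Request processing.

Added example, not Huawei code. Sessions and requests are constructed
inline; Error-Cause values are those listed in Tables 1-8 and 1-9.
"""
from dataclasses import dataclass
from enum import IntEnum
from typing import Optional


class Code(IntEnum):                 # RFC 5176 packet codes
    DISCONNECT_REQUEST = 40
    DISCONNECT_ACK = 41
    DISCONNECT_NAK = 42
    COA_REQUEST = 43
    COA_ACK = 44
    COA_NAK = 45


class ErrorCause(IntEnum):           # values from Tables 1-8 and 1-9
    MISSING_ATTRIBUTE = 402
    INVALID_REQUEST = 404
    INVALID_ATTRIBUTE_VALUE = 407
    SESSION_CONTEXT_NOT_FOUND = 503
    SESSION_CONTEXT_NOT_REMOVABLE = 504
    RESOURCES_UNAVAILABLE = 506


# Identification attributes in the priority order used by the "any" method;
# the "all" method additionally checks User-Name.
ANY_PRIORITY = ("Acct-Session-Id", "Calling-Station-Id", "Framed-IP-Address")
ALL_ATTRIBUTES = ANY_PRIORITY + ("User-Name",)


@dataclass
class Session:
    attrs: dict                      # identification attributes by RADIUS name
    auth_method: str = "radius"      # Table 1-8: non-RADIUS users report 503
    acl: Optional[str] = None
    online: bool = True


def find_session(sessions, attrs, method):
    """Return (session, None) on a match, or (None, ErrorCause) otherwise."""
    if method == "any":
        # only the first identification attribute present (by priority) is checked
        names = [n for n in ANY_PRIORITY if n in attrs][:1]
    else:
        # "all": every identification attribute present in the request must match
        names = [n for n in ALL_ATTRIBUTES if n in attrs]
    if not names:
        return None, ErrorCause.MISSING_ATTRIBUTE
    for s in sessions:
        if all(s.attrs.get(n) == attrs[n] for n in names):
            return s, None
    return None, ErrorCause.SESSION_CONTEXT_NOT_FOUND


def handle_request(sessions, code, attrs, method="any"):
    """Process one CoA/DM request; return (reply code, reply attributes)."""
    if code == Code.COA_REQUEST:
        ack, nak = Code.COA_ACK, Code.COA_NAK
    elif code == Code.DISCONNECT_REQUEST:
        ack, nak = Code.DISCONNECT_ACK, Code.DISCONNECT_NAK
    else:
        raise ValueError(f"not a CoA/DM request code: {code}")
    session, err = find_session(sessions, attrs, method)
    if err is None and session.auth_method != "radius":
        err = ErrorCause.SESSION_CONTEXT_NOT_FOUND
    if err is not None:
        return nak, {"Error-Cause": int(err)}
    if code == Code.COA_REQUEST:
        new_acl = attrs.get("Filter-Id")
        if new_acl is not None:
            # a Filter-Id carrying an IPv4 ACL ID must lie in 3000-3999 (Table 1-10)
            if new_acl.isdigit() and not 3000 <= int(new_acl) <= 3999:
                return nak, {"Error-Cause": int(ErrorCause.INVALID_ATTRIBUTE_VALUE)}
            session.acl = new_acl
        return ack, {}
    if not session.online:           # already offline: nothing left to remove
        return nak, {"Error-Cause": int(ErrorCause.SESSION_CONTEXT_NOT_REMOVABLE)}
    session.online = False
    return ack, {}


def demo():
    """Constructed session table and requests exercising each outcome."""
    sessions = [
        Session({"User-Name": "alice@corp", "Acct-Session-Id": "SESSION-0001",
                 "Calling-Station-Id": "00-11-22-33-44-55", "Framed-IP-Address": "10.1.1.10"}),
        Session({"User-Name": "bob@corp", "Acct-Session-Id": "SESSION-0002",
                 "Calling-Station-Id": "00-11-22-33-44-66", "Framed-IP-Address": "10.1.1.11"},
                auth_method="local"),
    ]
    req = lambda code, attrs, **kw: handle_request(sessions, code, attrs, **kw)
    return {
        "coa_by_mac": req(Code.COA_REQUEST, {"Calling-Station-Id": "00-11-22-33-44-55", "Filter-Id": "3001"}),
        "coa_bad_acl": req(Code.COA_REQUEST, {"Acct-Session-Id": "SESSION-0001", "Filter-Id": "2999"}),
        "coa_all_mismatch": req(Code.COA_REQUEST, {"User-Name": "alice@corp", "Framed-IP-Address": "10.9.9.9"}, method="all"),
        "dm_local_user": req(Code.DISCONNECT_REQUEST, {"Acct-Session-Id": "SESSION-0002"}),
        "dm_missing": req(Code.DISCONNECT_REQUEST, {"NAS-IP-Address": "10.0.0.1"}),
        "dm_ok": req(Code.DISCONNECT_REQUEST, {"Acct-Session-Id": "SESSION-0001"}),
        "dm_again": req(Code.DISCONNECT_REQUEST, {"Acct-Session-Id": "SESSION-0001"}),
        "alice_acl": sessions[0].acl,
    }
```

With the "any" method the second request in demo() is matched purely by Acct-Session-Id even though nothing else is supplied, while the "all" request fails because the Framed-IP-Address it carries disagrees with the stored session; the locally authenticated user and the repeated disconnect show the 503 and 504 outcomes from the tables.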

RADIUS Attributes

RADIUS attributes are the Attribute fields in RADIUS packets, which carry dedicated authentication, authorization, and accounting information.

For more information about RADIUS attributes, use the AAA Attribute Query Tool.

Standard RADIUS Attributes

RFC2865, RFC2866, and RFC3576 define standard RADIUS attributes that are supported by all mainstream vendors. For details, see Table 1-10.

Table 1-10  Standard RADIUS attributes

Each entry gives the attribute number, name, and type, followed by its description.

Attribute 1: User-Name (string)

User name for authentication. The user name format can be user name@domain name, or just user name.

Attribute 2: User-Password (string)

User password for authentication, which is valid only for the Password Authentication Protocol (PAP).

Attribute 3: CHAP-Password (string)

Response value provided by a PPP Challenge-Handshake Authentication Protocol (CHAP) user in response to the challenge.

Attribute 4: NAS-IP-Address (ipaddr)

Internet Protocol (IP) address of the NAS carried in authentication request packets. By default, the attribute value is the source IP address of the authentication request packets sent by the NAS. You can change the attribute value to a specified IP address on the NAS using the radius-attribute nas-ip ip-address command.

Attribute 5: NAS-Port (integer)

Physical port number of the network access server that is authenticating the user, in either of the following formats:
  • new: slot ID (8 bits) + sub-slot ID (4 bits) + port number (8 bits) + Virtual Local Area Network (VLAN) ID (12 bits)
  • old: slot ID (12 bits) + port number (8 bits) + VLAN ID (12 bits)

Attribute 6: Service-Type (integer)

Service type of the user to be authenticated:
  • 2 (Framed): PPP or 802.1X access user
  • 5 (Outbound): IP session access user
  • 6 (Administrative): administrator
  • 8 (Authenticate Only): reauthentication only
  • 10 (Call Check): MAC address authentication user or MAC address bypass authentication user

Attribute 7: Framed-Protocol (integer)

Encapsulation protocol used for framed services:
  • For a non-management user, the value is fixed at 1.
  • For a management user, the value is fixed at 6.

Attribute 8: Framed-IP-Address (ipaddr)

User IP address.

Attribute 11: Filter-Id (string)

UCL group name, user group name, or IPv4 Access Control List (ACL) ID.

NOTE:
  • When this attribute carries an IPv4 ACL ID, the ID must be in the range 3000 to 3999.
  • A RADIUS packet cannot carry more than one of the user group name, UCL group name, and IPv4 ACL ID at the same time.

Attribute 12: Framed-MTU (integer)

Maximum transmission unit (MTU) of the data link between the user and the NAS. For example, in 802.1X Extensible Authentication Protocol (EAP) authentication, the NAS specifies the maximum length of the EAP packet in this attribute. An EAP packet larger than the link MTU may be lost.

Attribute 14: Login-IP-Host (ipaddr)

Management user IP address:
  • If the value is 0 or 0xFFFFFFFF, the IP address of the management user is not checked.
  • If this attribute uses any other value, the NAS checks whether the management user IP address is the same as the delivered attribute value.

Attribute 15: Login-Service (integer)

Service to use to connect the user to the login host:
  • 0: Telnet
  • 5: X25-PAD
  • 50: SSH
  • 51: FTP
  • 52: Terminal

NOTE:

An attribute can contain multiple service types.

Attribute 18: Reply-Message (string)

This attribute indicates whether a user is authenticated:
  • When an Access-Accept packet is returned, the user is successfully authenticated.
  • When an Access-Reject packet is returned, the user fails authentication.

Attribute 19: Callback-Number (string)

Information sent from the authentication server to be displayed to a user, such as a mobile number.

Attribute 24: State (string)

This attribute is available to be sent by the server to the client in an Access-Challenge and MUST be sent unmodified from the client to the server in the new Access-Request reply to that challenge, if any.

Attribute 25: Class (string)

If the RADIUS server sends a RADIUS Access-Accept packet carrying the Class attribute to the NAS, the subsequent RADIUS Accounting-Request packets sent from the NAS must carry the Class attribute with the same value.

Attribute 26: Vendor-Specific (string)

Vendor-specific attribute. For details, see Table 1-11. A packet can carry one or more private attributes. Each private attribute contains one or more sub-attributes.

Attribute 27: Session-Timeout (integer)

In the Access-Request packet, this attribute indicates the maximum number of seconds a user should be allowed to remain connected.

In the Access-Challenge packet, this attribute indicates the period after which EAP authentication users are reauthenticated.

The value of this attribute must be larger than 0.

NOTE:

This attribute is valid only for 802.1X, MAC address, and Portal authentication users.

When the RADIUS server delivers only this attribute, the value of attribute 29 Termination-Action is set to 0 (users are forced offline) by default.

Attribute 28: Idle-Timeout (integer)

Maximum number of consecutive seconds of idle connection the user is allowed before termination of the session or prompt.

NOTE:
  • This attribute is valid only for administrators and wireless users.
  • This attribute can be used together with the traffic and direction configured using the idle-cut command in the service scheme view. When no authorization service scheme is configured, or this command is not configured in the service scheme, and a user does not produce upstream traffic within the idle-cut period, the user is disconnected.
  • In V200R012C00 and later versions, idle-cut is performed in seconds. In versions earlier than V200R012C00, idle-cut is performed in minutes. When a switch or an AC interconnects with an AP running a version earlier than V200R009C00, the idle-cut period is rounded up to a whole number of minutes; for example, 60s is treated as 1 minute, and values from 61s to 119s are rounded up to 2 minutes.

Attribute 29: Termination-Action (integer)

Action the NAS should take when the specified service is completed:
  • 0: forcible disconnection
  • 1: reauthentication

NOTE:

This attribute is valid only for 802.1X and MAC address authentication users.

When the RADIUS server delivers only this attribute, the value of attribute 27 Session-Timeout is set to 3600s (for 802.1X authentication users) or 1800s (for MAC address authentication users) by default.

Attribute 30: Called-Station-Id (string)

Number of the NAS. For wired users, it is the NAS MAC address.

Attribute 31: Calling-Station-Id (string)

This attribute allows the NAS to send, in the Access-Request packet, the phone number that the call came from, using Automatic Number Identification (ANI) or similar technology.

Attribute 32: NAS-Identifier (string)

String identifying the network access server originating the Access-Request. By default, the attribute value is the host name of the user. You can change the attribute value to the VLAN ID of the user using the radius-server nas-identifier-format { hostname | vlan-id } command.

Attribute 40: Acct-Status-Type (integer)

Accounting-Request type:
  • 1: Accounting-Start packet
  • 2: Accounting-Stop packet
  • 3: Interim-Accounting packet

Attribute 41: Acct-Delay-Time (integer)

Number of seconds the client has been trying to send the accounting packet (excluding the network transmission time).

Attribute 43: Acct-Output-Octets (integer)

Number of bytes in downstream traffic, corresponding to the lower 32 bits of the data structure that stores the downstream traffic. The contents of this attribute and RADIUS attribute 53 (Acct-Output-Gigawords) together make up the downstream traffic.

The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.

Attribute 44: Acct-Session-Id (string)

Accounting session ID. The Accounting-Start, Interim-Accounting, and Accounting-Stop packets of the same accounting session must have the same session ID.

The format of this attribute is: Host name (7 bits) + Slot ID (2 bits) + Subcard number (1 bit) + Port number (2 bits) + Outer VLAN ID (4 bits) + Inner VLAN ID (5 bits) + Central Processing Unit (CPU) Tick (6 bits) + User ID prefix (2 bits) + User ID (5 bits).

Attribute 45: Acct-Authentic (integer)

User authentication mode:
  • 1: RADIUS authentication
  • 2: Local authentication
  • 3: Other remote authentication

Attribute 46: Acct-Session-Time (integer)

How long (in seconds) the user has received service.

NOTE:

If the administrator modifies the system time after the user goes online, the online time calculated by the device may be incorrect.

Attribute 48: Acct-Output-Packets (integer)

Number of outgoing packets.

Attribute 49: Acct-Terminate-Cause (string)

Cause of a terminated session:
  • User-Request (1): The user requests termination of service.
  • Lost Carrier (2): The connection is torn down due to a handshake failure or heartbeat timeout, such as an ARP probe failure or PPP handshake failure.
  • Lost Service (3): The connection initiated by the peer device is torn down.
  • Idle Timeout (4): The idle timer expires.
  • Session Timeout (5): The session times out or the traffic threshold is reached.
  • Admin Reset (6): The administrator forces the user to go offline.
  • Admin Reboot (7): The administrator restarts the NAS.
  • Port Error (8): A port fails.
  • NAS Error (9): The NAS encounters an internal error.
  • NAS Request (10): The NAS ends the session due to resource changes.
  • NAS Reboot (11): The NAS automatically restarts.
  • Port Unneeded (12): The port is Down.
  • Port Preempted (13): The port is preempted.
  • Port Suspended (14): The port is suspended.
  • Service Unavailable (15): The service is unavailable.
  • Callback (16): The NAS is terminating the current session to perform a callback for a new session.
  • User Error (17): User authentication fails or times out.
  • Host Request (18): A host sends a request.

Attribute 53: Acct-Output-Gigawords (integer)

Number of times the downstream byte count has exceeded 4 GB (2^32), corresponding to the higher 32 bits of the data structure that stores the downstream traffic. The contents of this attribute and RADIUS attribute 43 (Acct-Output-Octets) together make up the downstream traffic.

The traffic unit must be the same as that of the RADIUS server and can be Byte, KByte, MByte, or GByte. To set the traffic unit for each RADIUS server, run the radius-server traffic-unit command. By default, the unit is Byte.

Attribute 55: Event-Timestamp (integer)

Time when an Accounting-Request packet is generated, represented as the number of seconds elapsed since 00:00:00 on January 1, 1970.

Attribute 60: CHAP-Challenge (string)

Challenge field in CHAP authentication. This field is generated by the NAS for Message Digest algorithm 5 (MD5) calculation.

Attribute 61: NAS-Port-Type (integer)

NAS port type. The attribute value can be configured in the interface view. By default, the type is Ethernet (15).

Attribute 64: Tunnel-Type (integer)

Protocol type of the tunnel. The value is fixed at 13, indicating VLAN.

Attribute 65: Tunnel-Medium-Type (integer)

Medium type used on the tunnel. The value is fixed at 6, indicating Ethernet.

Attribute 79: EAP-Message (string)

Encapsulates Extensible Authentication Protocol (EAP) packets so that RADIUS supports EAP authentication. When an EAP packet is longer than 253 bytes, it is encapsulated into multiple attributes. A RADIUS packet can carry multiple EAP-Message attributes.

Attribute 80: Message-Authenticator (string)

Authenticates and verifies authentication packets to prevent spoofed packets.

Attribute 81: Tunnel-Private-Group-ID (string)

Tunnel private group ID, which is used to deliver user VLAN IDs.

NOTE:

Authorization can be performed using the VLAN ID, VLAN description, VLAN name, or VLAN pool. The order in which authorization takes effect is as follows: VLAN ID > VLAN description > VLAN name > VLAN pool.

To make the VLAN authorization function take effect, ensure that the correct access control mode is configured:
  • When the link type is hybrid in untagged mode, the access control mode can be MAC address or interface.
  • When the link type is access or trunk, the access control mode can only be interface.

Attribute 85: Acct-Interim-Interval (integer)

Interim accounting interval. The value ranges from 60 to 3932100, in seconds. It is recommended that the interval be at least 600 seconds.

Attribute 87: NAS-Port-Id (string)

Port of the NAS that is authenticating the user. The NAS-Port-Id attribute has the following formats:
  • New:

    For Ethernet access users, the NAS-Port-Id is in the format "slot=xx; subslot=xx; port=xxx; VLAN ID=xxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 15, "port" from 0 to 255, and "VLAN ID" from 1 to 4094.

    For ADSL access users, the NAS-Port-Id is in the format "slot=xx; subslot=x; port=x; VPI=xxx; VCI=xxxxx", in which "slot" ranges from 0 to 15, "subslot" from 0 to 9, "port" from 0 to 9, "VPI" from 0 to 255, and "VCI" from 0 to 65535.

  • New client-option82: The content of the circuit ID suboption in the Option 82 field is encapsulated into the NAS-Port-Id attribute in a RADIUS packet. The format of the NAS-Port-Id attribute is the same as that of the suboption.
  • Old:

    For Ethernet access users, the NAS-Port-Id is in the format "port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VLAN ID (9 characters)".

    For ADSL access users, the format is port number (2 characters) + sub-slot ID (2 bytes) + card number (3 bytes) + VPI (8 characters) + VCI (16 characters). Fields are prefixed with 0s if they contain fewer bytes than specified.

  • Vendor 9: Uses the default Cisco format for encapsulation.

Attribute 89: Chargeable-User-Identity (string)

Charging ID delivered by the server. To configure a device to support this attribute, run the radius-server support chargeable-user-identity [ not-reject ] command.

Attribute 95: NAS-IPv6-Address (ipaddr)

IPv6 address carried in the authentication request packet sent by the NAS. Both the NAS-IPv6-Address and NAS-IP-Address fields can be included in a packet.

Attribute 96: Framed-Interface-Id (string)

IPv6 interface identifier to be configured for the user.

Attribute 97: Framed-IPv6-Prefix (ipaddr)

IPv6 prefix to be configured for the user.

Attribute 195: HW-SecurityStr (string)

Security information of users in EAP relay authentication.

Huawei Proprietary RADIUS Attributes

RADIUS is a fully extensible protocol. The No. 26 attribute (Vendor-Specific) defined in RFC2865 can be used to extend RADIUS for implementing functions not supported by standard RADIUS attributes. Table 1-11 describes Huawei proprietary RADIUS attributes.

NOTE:

Extended RADIUS attributes contain the vendor ID of the device. The vendor ID of Huawei is 2011.
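As an added example of how the attributes in Table 1-10 and Table 1-11 are carried on the wire (not the switch's own code): a Python encoder and decoder for an Access-Request carrying User-Name (1), NAS-Port (5) in the "new" bit layout, Framed-IP-Address (8), a Vendor-Specific attribute (26) with Huawei vendor ID 2011 and sub-attribute 1 (HW-Input-Peak-Information-Rate), and Message-Authenticator (80), plus the Acct-Output-Octets (43) / Acct-Output-Gigawords (53) split of a 64-bit byte counter. The shared secret, user name and values are constructed; the attribute layout follows RFC 2865 and the HMAC-MD5 construction of Message-Authenticator follows RFC 2869.

```python
"""Encoding and decoding of RADIUS attributes, including a Huawei VSA.

Added example, not Huawei code. Packet layout per RFC 2865, the
Message-Authenticator HMAC per RFC 2869; all sample values are constructed.
"""
import hashlib
import hmac
import os
import struct
from ipaddress import IPv4Address

ACCESS_REQUEST = 1
HUAWEI_VENDOR_ID = 2011          # vendor ID stated in the NOTE above


def tlv(attr_type, value):
    """One Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value longer than 253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def vsa(vendor_id, vendor_type, value):
    """Vendor-Specific (26): Vendor-Id, then the vendor's own Type/Length/Value."""
    return tlv(26, struct.pack("!IBB", vendor_id, vendor_type, len(value) + 2) + value)


def nas_port_new(slot, subslot, port, vlan):
    """NAS-Port (5) "new" layout: slot 8 bits | sub-slot 4 | port 8 | VLAN ID 12."""
    if not (slot < 256 and subslot < 16 and port < 256 and 0 < vlan < 4096):
        raise ValueError("NAS-Port field out of range")
    return (slot << 24) | (subslot << 20) | (port << 12) | vlan


def split_octets(total_bytes):
    """(Acct-Output-Octets, Acct-Output-Gigawords): low and high 32 bits."""
    return total_bytes & 0xFFFFFFFF, total_bytes >> 32


def build_access_request(secret, identifier, req_auth, user, nas_port, ip, pir_bps):
    attrs = (tlv(1, user.encode()) + tlv(5, struct.pack("!I", nas_port)) +
             tlv(8, IPv4Address(ip).packed) +
             vsa(HUAWEI_VENDOR_ID, 1, struct.pack("!I", pir_bps)))
    # Message-Authenticator = HMAC-MD5(secret, packet) with its own 16-byte value
    # zeroed; the Request Authenticator of an Access-Request is random.
    with_zero_ma = attrs + tlv(80, bytes(16))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(with_zero_ma)) + req_auth
    mac = hmac.new(secret, header + with_zero_ma, hashlib.md5).digest()
    return header + attrs + tlv(80, mac)


def parse_attributes(packet):
    """Walk the attribute list; VSAs come back as (26, vendor, sub-type, value)."""
    out, pos = [], 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if length < 2 or pos + length > len(packet):
            raise ValueError("malformed attribute length")
        value = packet[pos + 2:pos + length]
        if t == 26:
            vendor, vt, vl = struct.unpack("!IBB", value[:6])
            out.append((26, vendor, vt, value[6:4 + vl]))
        else:
            out.append((t, value))
        pos += length
    return out


def verify_message_authenticator(secret, packet):
    """Recompute the HMAC over the packet with attribute 80 zeroed and compare."""
    pos = 20
    while pos < len(packet):
        t, length = packet[pos], packet[pos + 1]
        if t == 80:
            zeroed = packet[:pos + 2] + bytes(16) + packet[pos + length:]
            expected = hmac.new(secret, zeroed, hashlib.md5).digest()
            return hmac.compare_digest(expected, packet[pos + 2:pos + length])
        pos += length
    return False  # no Message-Authenticator: the packet is unprotected, reject it


def demo():
    """Build, parse and verify a packet, then verify a copy with User-Name altered."""
    secret = b"constructed-shared-secret"
    pkt = build_access_request(secret, 7, os.urandom(16), "alice@corp",
                               nas_port_new(2, 0, 5, 100), "10.1.1.10", 10_000_000)
    std = {a[0]: a[1] for a in parse_attributes(pkt) if a[0] != 26}
    hw = {(a[1], a[2]): a[3] for a in parse_attributes(pkt) if a[0] == 26}
    tampered = pkt[:22] + b"m" + pkt[23:]      # first byte of the User-Name value
    return {
        "user": std[1].decode(),
        "ip": str(IPv4Address(std[8])),
        "nas_port": struct.unpack("!I", std[5])[0],
        "pir": struct.unpack("!I", hw[(HUAWEI_VENDOR_ID, 1)])[0],
        "length_ok": struct.unpack("!H", pkt[2:4])[0] == len(pkt),
        "ma_ok": verify_message_authenticator(secret, pkt),
        "tampered_ok": verify_message_authenticator(secret, tampered),
        "octets": split_octets(10 * 2**32 + 12345),
    }
```

The tampered copy fails verification because Message-Authenticator covers every attribute in the packet, which is what the Table 1-10 entry for attribute 80 means by preventing spoofed packets; the Gigawords split shows why a server must combine attributes 43 and 53 before applying the traffic unit.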

Table 1-11  Huawei proprietary RADIUS attributes

Each entry gives the attribute number (26 followed by the sub-attribute number), name, and type, followed by its description.

Attribute 26-1: HW-Input-Peak-Information-Rate (integer)

Peak information rate (PIR) at which the user accesses the NAS, which is the maximum rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s. The HW-Input-Peak-Information-Rate must be higher than or equal to the HW-Input-Committed-Information-Rate. By default, the HW-Input-Peak-Information-Rate is equal to the HW-Input-Committed-Information-Rate.

Attribute 26-2: HW-Input-Committed-Information-Rate (integer)

Committed information rate (CIR) at which the user accesses the NAS, which is the allowed average rate of traffic that can pass through an interface. The value is a 4-byte integer, in bit/s.

NOTE:

This attribute must be specified when the rate of packets sent from the user to the NAS is limited.

Attribute 26-3: HW-Input-Committed-Burst-Size (integer)

Committed burst size (CBS) at which the user accesses the NAS, which is the average volume of burst traffic that can pass through an interface. The value is a 4-byte integer, in bits.

Attribute 26-4: HW-Output-Peak-Information-Rate (integer)

Peak information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s. The HW-Output-Peak-Information-Rate must be higher than or equal to the HW-Output-Committed-Information-Rate. By default, the HW-Output-Peak-Information-Rate is equal to the HW-Output-Committed-Information-Rate.

Attribute 26-5: HW-Output-Committed-Information-Rate (integer)

Committed information rate at which the NAS connects to the user. The value is a 4-byte integer, in bit/s.

NOTE:

This attribute must be specified when the rate of packets sent from the NAS to the user is limited.

Attribute 26-6: HW-Output-Committed-Burst-Size (integer)

Committed burst size at which the NAS connects to the user. The value is a 4-byte integer, in bits.

Attribute 26-15: HW-Remanent-Volume (integer)

Remaining traffic. The unit is KB.

Attribute 26-18: HW-UserName-Access-Limit (integer)

Maximum number of users who are allowed to access the network using the same user name. The limit is indicated by the numeric value as follows:
  • 0: no user is allowed to access the network.
  • 0xFFFFFFFF (4294967295): the number of users who are allowed to access the network using the same user name is not limited.
  • 1: only one user is allowed to access the network using a particular user name.
  • Other values: the maximum number (the value itself) of users who are allowed to access the network using the same user name.

NOTE:

This attribute can be carried only in Access-Accept packets.

Attribute 26-26: HW-Connect-ID (integer)

Index of a user connection.

Attribute 26-28: HW-FTP-Directory (string)

Initial directory of an FTP user.

Attribute 26-29: HW-Exec-Privilege (integer)

Management user (such as Telnet user) priority, ranging from 0 to 15. A value of 16 or greater is ineffective.

Attribute 26-33: HW-VoiceVlan (integer)

Voice VLAN authorization flag. The value 1 indicates that the authorized VLAN is the voice VLAN. This attribute is used together with the VLAN authorization attributes.

Attribute 26-35: HW-ProxyRdsPkt (integer)

This attribute specifies whether a RADIUS server is a proxy server:
  • If the Access-Accept packet returned by a server carries this attribute with value 1, the server is a proxy server.
  • If the Access-Accept packet returned by a server carries this attribute with value 0, the server is not a proxy server.

Attribute 26-59: HW-NAS-Startup-Time-Stamp (integer)

NAS start time, represented as the number of seconds elapsed since 00:00:00 on January 1, 1970.

Attribute 26-60: HW-IP-Host-Address (string)

User IP address and MAC address carried in authentication and accounting packets, in the format A.B.C.D hh:hh:hh:hh:hh:hh. The IP address and MAC address are separated by a space.

If the user's IP address is detected to be invalid during authentication, the IP address is set to 255.255.255.255.

Attribute 26-75: HW-Primary-WINS (ipaddr)

Primary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

Attribute 26-76: HW-Second-WINS (ipaddr)

Secondary WINS server address delivered by the RADIUS server after a user is successfully authenticated.

Attribute 26-78: HW-Output-Peak-Burst-Size (integer)

Downstream peak rate, in bit/s.

Attribute 26-82: HW-Data-Filter (string)

The RADIUS server delivers an ACL rule to users through this attribute. The attribute has two formats: the new format and the old format. Compared with the old format, the new format shortens the ACL rule length.

NOTE:

A RADIUS packet can carry multiple 26-82 attributes. Currently, each attribute can carry only one ACL rule.

New attribute format (fields in the square brackets are optional)

The attribute format is: $number permit/deny [ protocol ] [ direction ip-address [ port ] ]

The fields are described as follows:
  • $: Start character of each ACL rule.
  • number: Last three digits in an ACL rule number, ranging from 0 to 999. The first two digits of an ACL rule number are fixed to 10. For example, if the value of this field is 12, the ACL rule number is 10012.
  • permit/deny: ACL action. permit indicates that the user access is allowed. deny indicates that the user access is denied.
  • protocol: Protocol type. The value can be tcp or udp.
  • direction: IP address type. The value can be dst or src. dst indicates a destination IP address and src indicates a source IP address.
  • ip-address: IP address. The value can be any or x.x.x.x/xx. x.x.x.x indicates an IP address in dotted decimal notation, xx indicates a mask in decimal notation, and / is added between the IP address and mask.
  • port: Port number. Currently, only one port is supported.
For example:
  • $1 permit dst 10.0.239.192/26
  • $2 permit udp src any 8080
  • $5 deny

Old attribute format

The attribute format is acl number key1 key-value1... keyN key-valueN permit/deny.

The fields are described as follows:
  • acl: Keyword, indicating that the ACL rule is delivered.
  • number: ACL rule number. The value ranges from 10000 to 10999.
  • keyM key-valueM(1≤M≤N): Keyword in an ACL rule and its value. The keyword value can be:
    • dest-ip ip-address: Specifies the destination IP address in dotted decimal notation. When the destination IP address is 0.0.0.0, this parameter can be omitted without configuration.
    • dest-ipmask mask: Specifies the destination IP mask. NAC users support only the destination IP mask that is an integer ranging from 1 to 32. VM users support only the destination IP mask that is in dotted decimal notation. When IP mask is 0, this parameter can be omitted without configuration.
    • tcp-srcport port: Specifies the source TCP start port number that ranges from 0 to 65535.
    • tcp-srcport-end port: Specifies the source TCP end port number that ranges from 0 to 65535 and must be larger than the start port number.
    • tcp-dstport port: Specifies the destination TCP start port number that ranges from 0 to 65535.
    • tcp-dstport-end port: Specifies the destination TCP end port number that ranges from 0 to 65535 and must be larger than the start port number.
    • udp-srcport port: Specifies the source UDP start port number that ranges from 0 to 65535.
    • udp-srcport-end port: Specifies the source UDP end port number that ranges from 0 to 65535 and must be larger than the start port number.
    • udp-dstport port: Specifies the destination UDP start port number that ranges from 0 to 65535.
    • udp-dstport-end port: Specifies the destination UDP end port number that ranges from 0 to 65535 and must be larger than the start port number.
  • permit/deny: ACL action. permit indicates that the user access is allowed. deny indicates that the user access is denied.
NOTE:

You are advised to use the standard RADIUS attribute Filter-Id to deliver ACL rules.

A maximum of 64 ACL rules can be delivered to a user. However, if too many ACL rules are delivered, the number of users who can be online and the available bandwidth are affected. For this reason, it is recommended that no more than 16 ACL rules be delivered to a user.

All keywords are case-insensitive. All keywords are separated from keyword values using spaces. The location of keywords is not fixed. The keywords permit and deny can be placed after number or the whole command line.

For example:
  • acl 10005 deny
  • acl 10006 tcp-dstport 5080 permit
  • acl 10007 dest-ip 10.11.11.2 dest-ipmask 32 permit
  • acl 10008 dest-ip 10.11.11.3 dest-ipmask 32 udp-dstport 5070 permit
  • acl 10009 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 udp-dstport-end 5080 deny
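A parser for both HW-Data-Filter formats, as an added example (not Huawei code): it normalizes the new "$number ..." form and the old "acl number key value ... permit/deny" form into one rule dictionary and enforces the range rules listed above (rule numbers 10000 to 10999, an integer dest-ipmask of 1 to 32, ports 0 to 65535, end port larger than start port, ip-address either any or x.x.x.x/xx). The field names of the returned dictionary and the error handling are the example's own choices; the inputs in PAGE_EXAMPLES are the sample rules from this page.

```python
"""Parser for the two HW-Data-Filter (26-82) ACL rule formats.
Added example, not Huawei code; enforces the ranges given in the description."""
import re
from ipaddress import IPv4Address

# New format: $number permit/deny [ protocol ] [ direction ip-address [ port ] ]
NEW_RE = re.compile(
    r"^\$(\d{1,3})\s+(permit|deny)(?:\s+(tcp|udp))?"
    r"(?:\s+(dst|src)\s+(\S+)(?:\s+(\d{1,5}))?)?$")

PORT_KEYS = ("tcp-srcport", "tcp-dstport", "udp-srcport", "udp-dstport")
OLD_KEYS = {"dest-ip", "dest-ipmask", *PORT_KEYS, *(k + "-end" for k in PORT_KEYS)}


def _port(text):
    value = int(text)
    if not 0 <= value <= 65535:
        raise ValueError(f"port out of range: {text}")
    return value


def parse_new_format(text):
    m = NEW_RE.match(text.strip())
    if not m:
        raise ValueError(f"bad new-format rule: {text!r}")
    num, action, proto, direction, ip, port = m.groups()
    # the first two digits of the rule number are fixed to 10 -> 10000 + number
    rule = {"number": 10000 + int(num), "action": action, "protocol": proto}
    if direction:
        if ip == "any":
            rule.update(direction=direction, ip="any", prefix=0)
        else:
            addr, sep, prefix = ip.partition("/")
            if not sep or not 0 <= int(prefix) <= 32:
                raise ValueError(f"ip-address must be any or x.x.x.x/xx: {ip}")
            rule.update(direction=direction, ip=str(IPv4Address(addr)), prefix=int(prefix))
        if port is not None:
            rule["port"] = _port(port)
    return rule


def parse_old_format(text):
    toks = text.split()
    if len(toks) < 3 or toks[0].lower() != "acl":
        raise ValueError(f"bad old-format rule: {text!r}")
    number = int(toks[1])
    if not 10000 <= number <= 10999:
        raise ValueError(f"acl number out of range: {number}")
    action, kv, i = None, {}, 2
    while i < len(toks):          # keywords are case-insensitive and unordered
        key = toks[i].lower()
        if key in ("permit", "deny"):
            if action is not None:
                raise ValueError("duplicate permit/deny")
            action, i = key, i + 1
            continue
        if key not in OLD_KEYS or i + 1 >= len(toks):
            raise ValueError(f"unknown keyword or missing value: {toks[i]}")
        kv[key], i = toks[i + 1], i + 2
    if action is None:
        raise ValueError("missing permit/deny")
    rule = {"number": number, "action": action}
    if "dest-ip" in kv:
        rule["dest_ip"] = str(IPv4Address(kv["dest-ip"]))
    if "dest-ipmask" in kv:
        mask = kv["dest-ipmask"]
        if mask.isdigit():        # NAC users: integer prefix length 1 to 32
            if not 1 <= int(mask) <= 32:
                raise ValueError(f"dest-ipmask out of range: {mask}")
            rule["dest_prefix"] = int(mask)
        else:                     # VM users: dotted-decimal mask
            rule["dest_mask"] = str(IPv4Address(mask))
    for key in PORT_KEYS:
        end_key = key + "-end"
        if end_key in kv and key not in kv:
            raise ValueError(f"{end_key} given without {key}")
        if key in kv:
            start = _port(kv[key])
            end = _port(kv[end_key]) if end_key in kv else start
            if end_key in kv and end <= start:
                raise ValueError(f"{end_key} must be larger than {key}")
            rule[key.replace("-", "_")] = (start, end)
    return rule


def parse_rule(text):
    """'$' selects the new format, anything else is tried as the old format."""
    return parse_new_format(text) if text.lstrip().startswith("$") else parse_old_format(text)


def rejects(text):
    """True if the rule is refused by the range checks."""
    try:
        parse_rule(text)
    except ValueError:
        return True
    return False


PAGE_EXAMPLES = [                 # the sample rules from the page
    "$1 permit dst 10.0.239.192/26",
    "$2 permit udp src any 8080",
    "$5 deny",
    "acl 10005 deny",
    "acl 10006 tcp-dstport 5080 permit",
    "acl 10007 dest-ip 10.11.11.2 dest-ipmask 32 permit",
    "acl 10008 dest-ip 10.11.11.3 dest-ipmask 32 udp-dstport 5070 permit",
    "acl 10009 dest-ip 11.11.11.2 dest-ipmask 32 udp-dstport 5070 udp-dstport-end 5080 deny",
]
```

Because the old format allows permit/deny either after the number or at the end, the parser accepts the action anywhere and rejects a second one; a rule whose end port is not larger than its start port, or whose number lies outside 10000 to 10999, is refused rather than silently clamped.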

26-135 HW-Client-Primary-DNS
ipaddr
Primary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-136 HW-Client-Secondary-DNS
ipaddr
Secondary DNS address delivered by the RADIUS server after a user is successfully authenticated.

26-138 HW-Domain-Name
string
Name of the domain used for user authentication. This can be the domain name carried in the user name or the name of a forcible domain.

26-142 HW-User-Information
string
User security check information delivered by the RADIUS server to an Extensible Authentication Protocol over LAN (EAPoL) user, notifying the user of the items that require security checks.

26-146 HW-Service-Scheme
string
Service scheme name. A service scheme contains user authorization information and policies.

26-153 HW-Access-Type
integer
User access type carried in the authentication and accounting request packets sent by the RADIUS client to the RADIUS server:
  • 1: Dot1x user
  • 2: MAC address authentication user or MAC address bypass authentication user
  • 3: Portal authentication user
  • 4: Static user
  • 6: Management user
  • 7: PPP user

26-155 HW-URL-Flag
integer
Specifies whether a Uniform Resource Locator (URL) is forcibly pushed when this attribute is used together with another attribute such as HW-Portal-URL:
  • 0: No
  • 1: Yes

26-156 HW-Portal-URL
string
Forcibly pushed URL.
If the information delivered by the RADIUS server matches a configured URL template, the URL configured in the template is used. Otherwise, the character string delivered by the RADIUS server is used as-is.

26-157 HW-Terminal-Type
string
Terminal type of a user.

26-158 HW-DHCP-Option
string
DHCP option, encapsulated in Type-Length-Value (TLV) format. A packet may contain multiple HW-DHCP-Option attributes, each carrying option information.
Only Option 82 can be delivered.

26-160 HW-UCL-Group
integer
Index of a UCL group.

26-163 HW-LLDP
string
LLDP information. A packet can contain multiple HW-LLDP-Info attributes to carry different options.

26-173 HW-Redirect-ACL
string
Redirection ACL. Redirection is performed only for users matching the ACL rules. Either the ACL number or the ACL name can be delivered; an ACL name must start with a letter.
NOTE: The value range of acl-number is from 3000 to 3999.

26-201 HW-User-Extend-Info
string
Extended user information, carried in authentication and accounting request packets. A packet can contain multiple HW-User-Extend-Info attributes. The extended user information consists of:
  • User-Position: Service code of the location where a user goes online
  • User-Position-Type: Type of the location where a user goes online
  • AP-Device-Code: AP code
  • AP-POS-X: Longitude of a moving AP
  • AP-POS-Y: Latitude of a moving AP
  • Wifi-Density: Field strength
  • TERMINAL-POS-X: X coordinate of the terminal relative to the AP, in meters
  • TERMINAL-POS-Y: Y coordinate of the terminal relative to the AP, in meters
  • HW-Access-Time: User access time, as the number of seconds elapsed since 00:00:00 on January 1, 1970
This attribute applies only to MAC address authentication and Portal authentication.

26-237 HW-Web-Authen-Info
string
Information that the portal server sends to the RADIUS server through the device, which transmits it transparently. For example, if a user selects the authentication-free option and a time for the next login, the RADIUS server saves the user's MAC address for that period; at the user's next login the login page is not displayed and MAC address authentication is used preferentially. This attribute can also be used for transparent transmission in complex modes such as EAP.

26-238 HW-Ext-Specific
string
User extended attributes:
  • user-dscp-in: DSCP value of inbound user packets. The value ranges from 0 to 63.
  • user-dscp-out: DSCP value of outbound user packets. The value ranges from 0 to 63.
  • user-command: The value can be 1, 2, or 3.
    • 1: The user is reauthenticated. Set this attribute to user-command=1 on the authentication server.
    • 2: The authentication interface is bounced (shut down and then re-enabled). Run the undo radius-server authorization hw-ext-specific command bounce-port disable command on the device so that it supports this attribute, and set this attribute to user-command=2 on the authentication server.
    • 3: The authentication interface is shut down. Run the undo radius-server authorization hw-ext-specific command down-port disable command on the device so that it supports this attribute, and set this attribute to user-command=3 on the authentication server.
NOTE: When the value of user-command is 1, 2, or 3, no other authorization attributes are supported.
This attribute applies only to NAC users.

26-239 HW-User-Access-Info
string
User description profile information.

26-240 HW-Access-Device-Info
string
In policy association, the authentication and accounting request packets carry the IP address, MAC address, and port number of the access switch. The format is ip=A.B.C.D;mac=XXXX-XXXX-XXXX;slot=XX;subslot=XXX;port=XXX;vlanid=XXXX.

26-244 HW-Reachable-Detect
string
Server reachability detection information. Authentication packets carrying this attribute are server detection packets.

26-247 HW-Tariff-Input-Octets
string
Number of upstream bytes at the specified tariff level, sent to the accounting server in accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of upstream bytes. An accounting packet can carry the traffic of at most 8 tariff levels.

26-248 HW-Tariff-Output-Octets
string
Number of downstream bytes at the specified tariff level, sent to the accounting server in accounting packets. The unit can be byte, kilobyte, megabyte, or gigabyte. The format is Tariff level:Number of downstream bytes. An accounting packet can carry the traffic of at most 8 tariff levels.

26-249 HW-Tariff-Input-Gigawords
string
Number of times the upstream byte count at the specified tariff level has wrapped past 4 GB (2^32 bytes). Together with HW-Tariff-Input-Octets, this field gives the number of upstream bytes at the specified tariff level.

26-250 HW-Tariff-Output-Gigawords
string
Number of times the downstream byte count at the specified tariff level has wrapped past 4 GB (2^32 bytes). Together with HW-Tariff-Output-Octets, this field gives the number of downstream bytes at the specified tariff level.
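Added Python example (not from the Huawei document) that combines the HW-Tariff-*-Octets and HW-Tariff-*-Gigawords values into per-tariff-level byte totals and enforces the 8-level limit. It assumes the octets unit is configured as byte and that the octets value is the remainder below 2^32.

```python
COUNTER_WRAP = 1 << 32   # one gigaword = one wrap of the 32-bit octet counter (4 GB)
MAX_TARIFF_LEVELS = 8    # an accounting packet carries at most 8 tariff levels


def parse_tariff_values(values):
    """Parse 'Tariff level:Number' strings, one per attribute instance.

    Returns {level: number}. Rejects malformed pairs, duplicate levels and
    more than MAX_TARIFF_LEVELS levels in one packet.
    """
    parsed = {}
    for item in values:
        level, sep, number = item.partition(":")
        if not sep or not level.strip().isdigit() or not number.strip().isdigit():
            raise ValueError(f"malformed tariff value {item!r}")
        level = int(level)
        if level in parsed:
            raise ValueError(f"tariff level {level} given twice")
        parsed[level] = int(number)
    if len(parsed) > MAX_TARIFF_LEVELS:
        raise ValueError(f"more than {MAX_TARIFF_LEVELS} tariff levels in one packet")
    return parsed


def tariff_byte_totals(octets, gigawords=()):
    """Combine *-Octets and *-Gigawords values into {level: total bytes}.

    total = gigawords * 2**32 + octets. Assumes the configured unit is byte
    and that the octets value is the remainder below 2**32 (assumption).
    """
    low = parse_tariff_values(octets)
    high = parse_tariff_values(gigawords)
    unknown = set(high) - set(low)
    if unknown:
        raise ValueError(f"gigawords for levels without an octets value: {sorted(unknown)}")
    totals = {}
    for level, count in low.items():
        if count >= COUNTER_WRAP:
            raise ValueError(f"level {level}: octets value {count} does not fit in 32 bits")
        totals[level] = high.get(level, 0) * COUNTER_WRAP + count
    return totals
```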

26-253 HW-Framed-IPv6-Address
ipaddr
IPv6 address to be configured for the user.

26-254 HW-Version
string
Software version of the device.

26-255 HW-Product-ID
string
NAS product name.

Huawei-supported Extended RADIUS Attributes of Other Vendors

Huawei devices support some extended RADIUS attributes of Microsoft, Cisco, and DSL Forum. For details, see Table 1-12.

Table 1-12  Huawei-supported extended RADIUS attributes of other vendors
Attribute No.  Attribute Name  Attribute Type  Description
MICROSOFT-16  MS-MPPE-Send-Key  string  This attribute indicates the MPPE sending key.
MICROSOFT-17  MS-MPPE-Recv-Key  string  This attribute indicates the MPPE receiving key.
CISCO-1  Cisco-avpair  string  This attribute indicates the voice VLAN.
DSLFORUM-1  Agent-Circuit-Id  string  This attribute contains information describing the subscriber agent circuit identifier corresponding to the logical access loop port of the Access Node/DSLAM from which a subscriber's requests are initiated.
DSLFORUM-2  Agent-Remote-Id  string  This attribute contains an operator-specific, statically configured string that uniquely identifies the subscriber on the associated access loop of the Access Node/DSLAM.
RADIUS Attributes Available in Packets
Different RADIUS packets carry different RADIUS attributes.
  • For the RADIUS attributes available in authentication packets, see Table 1-13.
  • For the RADIUS attributes available in accounting packets, see Table 1-14.
  • For the RADIUS attributes available in authorization (CoA/DM) packets, see Table 1-15.
NOTE:

The values in the tables have the following meanings:

  • 1: The attribute must appear exactly once in the packet.
  • 0: The attribute must not appear in the packet (if present, it is discarded).
  • 0-1: The attribute may appear once or not at all.
  • 0+: The attribute may appear any number of times or not at all.
Table 1-13  RADIUS attributes available in authentication packets

Attribute (No.)  Access-Request  Access-Accept  Access-Reject  Access-Challenge
User-Name(1)  1  0-1  0  0
User-Password(2)  0-1  0  0  0
CHAP-Password(3)  0-1  0  0  0
NAS-IP-Address(4)  1  0  0  0
NAS-Port(5)  1  0  0  0
Service-Type(6)  1  0-1  0  0
Framed-Protocol(7)  1  0-1  0  0
Framed-IP-Address(8)  0-1  0-1  0  0
Filter-Id(11)  0  0-1  0  0
Framed-Mtu(12)  0-1  0  0  0
Login-IP-Host(14)  0-1  0-1  0  0
Login-Service(15)  0  0-1  0  0
Reply-Message(18)  0  0-1  0-1  0-1
Callback-Number(19)  0  0-1  0  0
State(24)  0-1  0-1  0  0-1
Class(25)  0  0-1  0  0
Session-Timeout(27)  0  0-1  0-1  0-1
Idle-Timeout(28)  0  0-1  0  0
Termination-Action(29)  0  0-1  0  0-1
Called-Station-Id(30)  0-1  0  0  0
Calling-Station-Id(31)  1  0-1  0  0
NAS-Identifier(32)  1  0  0  0
Acct-Session-Id(44)  1  0  0  0
CHAP-Challenge(60)  0-1  0  0  0
NAS-Port-Type(61)  1  0  0  0
Tunnel-Type(64)  0  0-1  0  0
Tunnel-Medium-Type(65)  0  0-1  0  0
EAP-Message(79)  0-1  0-1  0-1  0-1
Message-Authenticator(80)  0-1  0-1  0-1  0-1
Tunnel-Private-Group-ID(81)  0  0-1  0-1  0
Acct-Interim-Interval(85)  0  0-1  0  0
NAS-Port-Id(87)  0-1  0  0  0
Chargeable-User-Identity(89)  0-1  0-1  0  0
NAS-IPv6-Address(95)  0-1  0  0  0
Framed-Interface-Id(96)  0+  0  0  0
Framed-IPv6-Prefix(97)  0+  0  0  0
HW-SecurityStr(195)  0-1  0  0  0
HW-Input-Peak-Information-Rate(26-1)  0  0-1  0  0
HW-Input-Committed-Information-Rate(26-2)  0  0-1  0  0
HW-Input-Committed-Burst-Size(26-3)  0  0-1  0  0
HW-Output-Peak-Information-Rate(26-4)  0  0-1  0  0
HW-Output-Committed-Information-Rate(26-5)  0  0-1  0  0
HW-Output-Committed-Burst-Size(26-6)  0  0-1  0  0
HW-Remanent-Volume(26-15)  0  0-1  0  0
HW-UserName-Access-Limit(26-18)  0  0-1  0  0
HW-Connect-ID(26-26)  1  0  0  0
Ftp-directory(26-28)  0  0-1  0  0
HW-Exec-Privilege(26-29)  0  0-1  0  0
HW-VoiceVlan(26-33)  0  0-1  0  0
HW-ProxyRdsPkt(26-35)  0  0-1  0  0
HW-NAS-Startup-Time-Stamp(26-59)  1  0  0  0
HW-IP-Host-Address(26-60)  1  0  0  0
HW-Primary-WINS(26-75)  0  0-1  0  0
HW-Second-WINS(26-76)  0  0-1  0  0
HW-Output-Peak-Burst-Size(26-78)  0  0-1  0  0
HW-Data-Filter(26-82)  0  0-1  0-1  0
HW-Client-Primary-DNS(26-135)  0  0-1  0  0
HW-Client-Secondary-DNS(26-136)  0  0-1  0  0
HW-Domain-Name(26-138)  1  0  0  0
HW-User-Information(26-142)  0  0-1  0  0
HW-Service-Scheme(26-146)  0  0-1  0  0
HW-Access-Type(26-153)  1  0-1  0  0
HW-URL-Flag(26-155)  0  0-1  0  0
HW-Portal-URL(26-156)  0  0-1  0  0
HW-Terminal-Type(26-157)  0-1  0  0  0
HW-DHCP-Option(26-158)  0+  0  0  0
HW-UCL-Group(26-160)  0  0-1  0  0
HW-LLDP(26-163)  0-1  0  0  0
HW-Redirect-ACL(26-173)  0  0-1  0  0
HW-User-Extend-Info(26-201)  0-1  0  0  0
HW-Web-Authen-Info(26-237)  1  0  0  0
HW-Ext-Specific(26-238)  0  1  0  0
HW-User-Access-Info(26-239)  1  0  0  0
HW-Access-Device-Info(26-240)  0-1  0  0  0
HW-Reachable-Detect(26-244)  0  0  0  0
HW-Framed-IPv6-Address(26-253)  0-1  0  0  0
HW-Version(26-254)  1  0  0  0
HW-Product-ID(26-255)  1  0  0  0
MS-MPPE-Send-Key(MICROSOFT-16)  0  0-1  0  0
MS-MPPE-Recv-Key(MICROSOFT-17)  0  0-1  0  0
Cisco-avpair(CISCO-1)  0  0-1  0  0
Agent-Circuit-Id(DSLFORUM-1)  0-1  0  0  0
Agent-Remote-Id(DSLFORUM-2)  0-1  0  0  0
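Added Python example (not from the Huawei document) that applies the occurrence rules of Table 1-13 to the attribute list of a packet: attributes marked 0 for that packet type are discarded, as the page says the device does, and duplicated or missing mandatory attributes are reported. Only a subset of the table's rows is encoded.

```python
from collections import Counter

PACKET_TYPES = ("Access-Request", "Access-Accept", "Access-Reject", "Access-Challenge")

# Subset of Table 1-13, columns in PACKET_TYPES order:
# 1 = exactly once, 0 = not allowed (discarded), 0-1 = at most once, 0+ = any number.
TABLE_1_13 = {
    "User-Name(1)":              ("1",   "0-1", "0",   "0"),
    "User-Password(2)":          ("0-1", "0",   "0",   "0"),
    "NAS-IP-Address(4)":         ("1",   "0",   "0",   "0"),
    "NAS-Port(5)":               ("1",   "0",   "0",   "0"),
    "Reply-Message(18)":         ("0",   "0-1", "0-1", "0-1"),
    "State(24)":                 ("0-1", "0-1", "0",   "0-1"),
    "Calling-Station-Id(31)":    ("1",   "0-1", "0",   "0"),
    "EAP-Message(79)":           ("0-1", "0-1", "0-1", "0-1"),
    "Message-Authenticator(80)": ("0-1", "0-1", "0-1", "0-1"),
    "Framed-IPv6-Prefix(97)":    ("0+",  "0",   "0",   "0"),
    "HW-Data-Filter(26-82)":     ("0",   "0-1", "0-1", "0"),
    "HW-Portal-URL(26-156)":     ("0",   "0-1", "0",   "0"),
    "HW-DHCP-Option(26-158)":    ("0+",  "0",   "0",   "0"),
}


def check_attributes(packet_type, attrs):
    """Apply the Table 1-13 occurrence rules to the attribute names in a packet.

    Returns (kept, problems). Attributes the table marks 0 for this packet
    type are dropped from 'kept'; 'problems' records every discarded,
    duplicated, missing or unknown attribute.
    """
    if packet_type not in PACKET_TYPES:
        raise ValueError(f"unknown packet type {packet_type!r}")
    col = PACKET_TYPES.index(packet_type)
    counts = Counter(attrs)
    problems, discard = [], set()
    for name, seen in counts.items():
        if name not in TABLE_1_13:
            problems.append(f"{name}: not in the encoded subset of Table 1-13")
            continue
        rule = TABLE_1_13[name][col]
        if rule == "0":
            discard.add(name)
            problems.append(f"{name}: not allowed in {packet_type}, discarded")
        elif rule in ("1", "0-1") and seen > 1:
            problems.append(f"{name}: appears {seen} times, at most once allowed")
    # Rule 1 also means the attribute is mandatory for this packet type.
    for name, rules in TABLE_1_13.items():
        if rules[col] == "1" and name not in counts:
            problems.append(f"{name}: mandatory in {packet_type} but missing")
    kept = [name for name in attrs if name not in discard]
    return kept, problems
```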

Table 1-14  RADIUS attributes available in accounting packets

Attribute (No.)  Accounting-Request (Start)  Accounting-Request (Interim-Update)  Accounting-Request (Stop)  Accounting-Response (Start)  Accounting-Response (Interim-Update)  Accounting-Response (Stop)
User-Name(1)  1  1  1  0  0  0
NAS-IP-Address(4)  1  1  1  0  0  0
NAS-Port(5)  1  1  1  0  0  0
Service-Type(6)  1  1  1  0  0  0
Framed-Protocol(7)  1  1  1  0  0  0
Framed-IP-Address(8)  1  1  1  0  0  0
Class(25)  0-1  0-1  0-1  0  0  0
Session-Timeout(27)  0  0  0  0-1  0-1  0
Called-Station-Id(30)  1  1  1  0  0  0
NOTE: For users who access the network through PPP authentication, this attribute is optional. If the authentication request packet does not carry it, neither does the accounting request packet.
Calling-Station-Id(31)  1  1  1  0  0  0
NAS-Identifier(32)  1  1  1  0  0  0
Acct-Status-Type(40)  1  1  1  0  0  0
Acct-Delay-Time(41)  0-1  1  1  0  0  0
Acct-Session-Id(44)  1  1  1  0  0  0
Acct-Authentic(45)  1  1  1  0  0  0
Acct-Session-Time(46)  0  1  1  0  0  0
Acct-Output-Packets(48)  0-1  0-1  0-1  0  0  0
Acct-Terminate-Cause(49)  0  0  1  0  0  0
Acct-Output-Gigawords(53)  0-1  0-1  0-1  0  0  0
Event-Timestamp(55)  1  1  1  0  0  0
NAS-Port-Type(61)  1  1  1  0  0  0
NAS-Port-Id(87)  1  1  1  0  0  0
Chargeable-User-Identity(89)  0-1  0-1  0-1  0  0  0
NAS-IPv6-Address(95)  0-1  0-1  0-1  0  0  0
HW-Input-Committed-Information-Rate(26-2)  1  1  1  0  0  0
HW-Output-Committed-Information-Rate(26-5)  1  1  1  0  0  0
HW-Connect-ID(26-26)  1  1  1  0  0  0
HW-IP-Host-Address(26-60)  1  1  1  0  0  0
HW-Domain-Name(26-138)  1  1  1  0  0  0
HW-AP-Information(26-141)  0-1  0-1  0-1  0  0  0
HW-User-Information(26-142)  0  0  0  0-1  0-1  0
HW-Access-Type(26-153)  0-1  0-1  0-1  0  0  0
HW-Terminal-Type(26-157)  0-1  0-1  0-1  0  0  0
HW-DHCP-Option(26-158)  0+  0+  0+  0  0  0
HW-HTTP-UA(26-159)  0-1  0-1  0-1  0  0  0
HW-LLDP(26-163)  0-1  0-1  0-1  0  0  0
HW-User-Extend-Info(26-201)  0-1  0-1  0-1  0  0  0
HW-Access-Device-Info(26-240)  0-1  0-1  0-1  0  0  0
HW-Reachable-Detect(26-244)  0  0  0  0  0  0
HW-Tariff-Input-Octets(26-247)  0  0-1  0-1  0  0  0
HW-Tariff-Output-Octets(26-248)  0  0-1  0-1  0  0  0
HW-Tariff-Input-Gigawords(26-249)  0  0-1  0-1  0  0  0
HW-Tariff-Output-Gigawords(26-250)  0  0-1  0-1  0  0  0
HW-Framed-IPv6-Address(26-253)  0-1  0-1  0-1  0  0  0
MS-MPPE-Send-Key(MICROSOFT-16)  0  0  0  0  0  0
MS-MPPE-Recv-Key(MICROSOFT-17)  0  0  0  0  0  0
Cisco-avpair(CISCO-1)  0  0  0  0  0  0
Agent-Circuit-Id(DSLFORUM-1)  0-1  0-1  0-1  0  0  0
Agent-Remote-Id(DSLFORUM-2)  0-1  0-1  0-1  0  0  0
Table 1-15  RADIUS attributes available in CoA/DM packets

Attribute (No.)  CoA REQUEST  CoA ACK  CoA NAK  DM REQUEST  DM ACK  DM NAK
User-Name(1)  0-1  0-1  0-1  0-1  0-1  0-1
NAS-IP-Address(4)  0-1  0-1  0-1  0-1  0-1  0-1
NAS-Port(5)  0-1  0  0  0-1  0  0
Framed-IP-Address(8)  0-1  0-1  0-1  0-1  0-1  0-1
Filter-Id(11)  0-1  0  0  0  0  0
Session-Timeout(27)  0-1  0  0  0  0  0
Idle-Timeout(28)  0-1  0  0  0  0  0
Termination-Action(29)  0-1  0  0  0  0  0
Calling-Station-Id(31)  0-1  0-1  0-1  0-1  0-1  0-1
NAS-Identifier(32)  0  0-1  0-1  0  0  0
Acct-Session-Id(44)  1  1  1  1  1  1
Tunnel-Type(64)  0-1  0  0  0  0  0
Tunnel-Medium-Type(65)  0-1  0  0  0  0  0
Tunnel-Private-Group-ID(81)  0-1  0  0  0  0  0
Acct-Interim-Interval(85)  0-1  0  0  0  0  0
NAS-Port-Id(87)  0-1  0  0  0-1  0  0
HW-Input-Peak-Information-Rate(26-1)  0-1  0  0  0  0  0
HW-Input-Committed-Information-Rate(26-2)  0-1  0  0  0  0  0
HW-Output-Peak-Information-Rate(26-4)  0-1  0  0  0  0  0
HW-Output-Committed-Information-Rate(26-5)  0-1  0  0  0  0  0
HW-Output-Committed-Burst-Size(26-6)  0-1  0  0  0  0  0
HW-Input-Peak-Burst-Size(26-77)  0-1  0  0  0  0  0
HW-Output-Peak-Burst-Size(26-78)  0-1  0  0  0  0  0
HW-Data-Filter(26-82)  0-1  0  0  0  0  0
HW-Service-Scheme(26-146)  0-1  0  0  0  0  0
HW-URL-Flag(26-155)  0-1  0  0  0  0  0
HW-Portal-URL(26-156)  0-1  0  0  0  0  0
HW-UCL-Group(26-160)  0-1  0  0  0  0  0
HW-Redirect-ACL(26-173)  0-1  0  0  0  0  0
HW-Ext-Specific(26-238)  1  0  0  0  0  0
MS-MPPE-Send-Key(MICROSOFT-16)  0  0  0  0  0  0
MS-MPPE-Recv-Key(MICROSOFT-17)  0  0  0  0  0  0
Cisco-avpair(CISCO-1)  0-1  0  0  0  0  0
Agent-Circuit-Id(DSLFORUM-1)  0-1  0  0  0  0  0
Agent-Remote-Id(DSLFORUM-2)  0-1  0  0  0  0  0

RADIUS Attribute Disablement and Translation

Different vendors support different collections of RADIUS attributes, and each vendor may define private attributes. As a result, RADIUS attributes of different vendors may be incompatible, and attributes exchanged between devices from different vendors may fail to be parsed. To resolve this issue, the RADIUS attribute disablement and translation functions are often used in interconnection and replacement scenarios.

RADIUS Attribute Disablement

The RADIUS server may have RADIUS attributes with the same attribute IDs and names as but different encapsulation formats or contents from those on the device. In this case, you can configure the RADIUS attribute disablement function to disable such attributes. The device then does not parse these attributes after receiving them from the RADIUS server, and does not encapsulate these attributes into RADIUS packets to be sent to the server.

Currently, Huawei-supported RADIUS attributes (with Huawei-supported attribute names and IDs) in a sent or received packet can be disabled on a device.

RADIUS Attribute Translation

RADIUS attribute translation is used to achieve compatibility between RADIUS attributes defined by different vendors. For example, a Huawei device delivers the priority of an administrator using the Huawei proprietary attribute Exec-Privilege (26-29), whereas another vendor's NAS and the RADIUS server deliver this priority using the Login-service(15) attribute. Where the Huawei device and the other vendor's NAS share one RADIUS server, the Huawei device needs to be compatible with the Login-service(15) attribute. After RADIUS attribute translation is configured on the Huawei device, the device automatically processes the Login-service(15) attribute in a received RADIUS authentication response packet as the Exec-Privilege (26-29) attribute.

Devices translate RADIUS attributes in a sent or received packet based on the Type, Length, and Value fields of the RADIUS attributes.
  • If translation from attribute A to attribute B is configured in the transmit direction and the device sends a packet containing attribute A, the Type field of the sent attribute is that of attribute B, but the Value field is encapsulated according to the content and format of attribute A.
  • If translation from attribute A to attribute B is configured in the receive direction and the device receives a packet containing attribute A, it parses the Value field of attribute A as that of attribute B. In effect, once translation is configured, the device behaves as if it had received attribute B rather than attribute A.

Huawei-supported and non-Huawei-supported RADIUS attributes can be translated into each other. Table 1-16 shows the mode for translating Huawei-supported and non-Huawei-supported RADIUS attributes into each other.

NOTE:
  • The device can translate a RADIUS attribute of another vendor only if the length of the Type field in the attribute is 1 octet.
  • The device can translate a RADIUS attribute only when the data type of the source attribute is the same as that of the destination attribute. For example, NAS-Identifier and NAS-Port-Id are both of type string, so they can be translated into each other. NAS-Identifier and NAS-Port are of types string and integer respectively, so they cannot be translated into each other.

Table 1-16  RADIUS attribute translation mode
Source Attribute Supported by Huawei / Destination Attribute Supported by Huawei / Supported Translation Direction / Configuration Command (RADIUS Server Template View)

Supported / Supported / Transmit and receive directions:
  radius-attribute translate src-attribute-name dest-attribute-name { receive | send | access-accept | access-request | account-request | account-response } *

Supported / Not supported / Transmit direction:
  radius-attribute translate extend src-attribute-name vendor-specific dest-vendor-id dest-sub-id { access-request | account-request } *

Not supported / Supported / Receive direction:
  radius-attribute translate extend vendor-specific src-vendor-id src-sub-id dest-attribute-name { access-accept | account-response } *

Updated: 2019-04-20

Document ID: EDOC1100066170
